
Pop Infected Pc


12 replies to this topic

#1 wally13

wally13

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:38 AM

Posted 23 November 2005 - 12:35 PM

I have a Win 2000 PC that is totally infected. Pop Ups from oas-central.realmedia and others keep coming. I have installed and run the following: Ad-Aware SE, Spybot, Spyware, Registry Mechanic, Microsoft Anti-Spyware, House Calls, e-Pest Patrol and I am tired of nothing working.

On boot-up the machine can't find blank.exe and 2 programs are unable to run - thanks.exe and eula.htm
The Zango toolbar installation screen kept coming up as well upon boot-up but I installed it and then deleted it. I don't know if it will come back again after I reboot.

Please take a look at my Hijackthis log for any malicious threats. Thanks so much in advance and Happy Thanksgiving to you!

Logfile of HijackThis v1.99.1
Scan saved at 9:35:35 AM, on 11/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\Smtray.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\hpnra.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\msniu3.exe
C:\WINNT\system32\msniq.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\802.11 Wireless LAN\WlanMonitor.exe
C:\Program Files\Wireless LAN Utility\WlanUtility.exe
C:\mg.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\system32\hpnra.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSN Messenger 323] msniu3.exe
O4 - HKLM\..\Run: [MSN Messenger If2] msniq.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\RunServices: [MSN Messenger 323] msniu3.exe
O4 - HKLM\..\RunServices: [MSN Messenger If2] msniq.exe
O4 - HKCU\..\Run: [MSN Messenger 323] msniu3.exe
O4 - HKCU\..\Run: [MSN Messenger If2] msniq.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Resume Windows Update Installation.lnk = C:\WINNT\Windows Update Setup Files\ie6setup.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Configuration & Monitor Utility.lnk = C:\Program Files\802.11 Wireless LAN\WlanMonitor.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless Lan Utility.lnk = C:\Program Files\Wireless LAN Utility\WlanUtility.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: Applets - C:\WINNT\system32\f8l0li3m18.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:11:38 AM

Posted 23 November 2005 - 12:37 PM

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Then reboot your computer - IMPORTANT
Then post a new HJT log

David

#3 wally13

wally13
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:38 AM

Posted 23 November 2005 - 01:12 PM

Here is the log from Webroot Spysweeper.

********
9:50 AM: | Start of Session, Wednesday, November 23, 2005 |
9:50 AM: Spy Sweeper started
9:50 AM: Sweep initiated using definitions version 574
9:50 AM: Starting Memory Sweep
9:50 AM: Found Adware: icannnews
9:50 AM: Detected running threat: C:\WINNT\system32\f8l0li3m18.dll (ID = 83)
9:51 AM: Detected running threat: C:\WINNT\system32\sasbkup.dll (ID = 83)
9:52 AM: Memory Sweep Complete, Elapsed Time: 00:02:26
9:52 AM: Starting Registry Sweep
9:52 AM: Found Adware: ebates money maker
9:52 AM: HKLM\software\microsoft\windows\currentversion\uninstall\tmu\ (1 subtraces) (ID = 125600)
9:52 AM: Found Adware: iepagehelper
9:52 AM: HKLM\software\inetdctr\ (23 subtraces) (ID = 128109)
9:52 AM: HKLM\software\microsoft\windows\currentversion\app paths\idctrrun\ (2 subtraces) (ID = 128111)
9:52 AM: HKLM\software\microsoft\windows\currentversion\app paths\idctrsys\ (2 subtraces) (ID = 128112)
9:52 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:52 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:52 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:52 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:52 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:52 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:52 AM: Found Adware: zenosearchassistant
9:52 AM: HKLM\software\microsoft\windows\currentversion\app management\arpcache\zeno search assistant\ (2 subtraces) (ID = 147930)
9:52 AM: Found Adware: findthewebsiteyouneed hijacker
9:52 AM: HKU\.default\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555438)
9:52 AM: Found Adware: safeguard protect
9:52 AM: HKLM\software\safeguard protect\ (4 subtraces) (ID = 879722)
9:52 AM: HKU\.default\software\safeguard protect\ (2 subtraces) (ID = 912151)
9:52 AM: Found Adware: dollarrevenue
9:52 AM: HKLM\software\microsoft\drsmartload\ (2 subtraces) (ID = 916795)
9:52 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:52 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:52 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:52 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:52 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:52 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:53 AM: Found Adware: 180search assistant/zango
9:53 AM: HKU\S-1-5-21-861567501-789336058-725345543-500\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\zango\ (1 subtraces) (ID = 554173)
9:53 AM: HKU\S-1-5-21-861567501-789336058-725345543-500\software\safeguard protect\ (21 subtraces) (ID = 832657)
9:53 AM: Found Adware: begin2search hijack
9:53 AM: HKU\WRSS_Profile_S-1-5-21-861567501-789336058-725345543-1000\software\microsoft\internet explorer\ || searchurl (ID = 104274)
9:53 AM: Found Adware: cws-aboutblank
9:53 AM: HKU\WRSS_Profile_S-1-5-21-861567501-789336058-725345543-1000\software\microsoft\internet explorer\main\ || search bar_bak (ID = 115924)
9:53 AM: HKU\WRSS_Profile_S-1-5-21-861567501-789336058-725345543-1000\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
9:53 AM: Found Adware: downloadplus
9:53 AM: HKU\WRSS_Profile_S-1-5-21-861567501-789336058-725345543-1000\software\0x7a69\ (8 subtraces) (ID = 125274)
9:53 AM: Found Adware: downloadware
9:53 AM: HKU\WRSS_Profile_S-1-5-21-861567501-789336058-725345543-1000\software\webinstall\ (3 subtraces) (ID = 125364)
9:53 AM: Found Adware: swimsuitnetwork
9:53 AM: HKU\WRSS_Profile_S-1-5-21-861567501-789336058-725345543-1000\software\webinstall\ (3 subtraces) (ID = 125364)
9:53 AM: Found Adware: e2g
9:53 AM: HKU\WRSS_Profile_S-1-5-21-861567501-789336058-725345543-1000\software\ptech\ (1 subtraces) (ID = 125528)
9:53 AM: HKU\WRSS_Profile_S-1-5-21-861567501-789336058-725345543-1000\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 125587)
9:53 AM: Found Adware: webrebates
9:53 AM: HKU\WRSS_Profile_S-1-5-21-861567501-789336058-725345543-1000\software\microsoft\internet explorer\extensions\{6685509e-b47b-4f47-8e16-9a5f3a62f683}\ (5 subtraces) (ID = 125589)
9:53 AM: HKU\WRSS_Profile_S-1-5-21-861567501-789336058-725345543-1000\software\microsoft\internet explorer\extensions\{6685509e-b47b-4f47-8e16-9a5f3a62f683}\ (5 subtraces) (ID = 125589)
9:53 AM: Found Adware: ezula ilookup
9:53 AM: HKU\WRSS_Profile_S-1-5-21-861567501-789336058-725345543-1000\software\web offer\ (10 subtraces) (ID = 126300)
9:53 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:53 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:53 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:53 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:53 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:53 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:53 AM: Found Adware: my daily horoscope
9:53 AM: HKU\WRSS_Profile_S-1-5-21-861567501-789336058-725345543-1000\software\enconfidence\ (4 subtraces) (ID = 135386)
9:53 AM: Found Adware: networkessentials
9:53 AM: HKU\WRSS_Profile_S-1-5-21-861567501-789336058-725345543-1000\software\hopper\ (18 subtraces) (ID = 136157)
9:53 AM: HKU\WRSS_Profile_S-1-5-21-861567501-789336058-725345543-1000\software\updater\ (1 subtraces) (ID = 136178)
9:53 AM: Found Adware: privacyscan
9:53 AM: HKU\WRSS_Profile_S-1-5-21-861567501-789336058-725345543-1000\software\privacy champion\ (1 subtraces) (ID = 136898)
9:53 AM: HKU\WRSS_Profile_S-1-5-21-861567501-789336058-725345543-1000\software\microsoft\windows\currentversion\run\ || privacyscanner (ID = 136899)
9:53 AM: Found Adware: whenu
9:53 AM: HKU\WRSS_Profile_S-1-5-21-861567501-789336058-725345543-1000\software\whenu\ (ID = 140455)
9:53 AM: Found Adware: search-exe hijacker
9:53 AM: HKU\WRSS_Profile_S-1-5-21-861567501-789336058-725345543-1000\software\microsoft\internet explorer\search\ || searchassistant (ID = 140932)
9:53 AM: HKU\WRSS_Profile_S-1-5-21-861567501-789336058-725345543-1000\software\microsoft\internet explorer\searchurl\ (ID = 140934)
9:53 AM: Found Adware: ist sidefind
9:53 AM: HKU\WRSS_Profile_S-1-5-21-861567501-789336058-725345543-1000\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
9:53 AM: Found Adware: twain-tech
9:53 AM: HKU\WRSS_Profile_S-1-5-21-861567501-789336058-725345543-1000\software\multimpp\ (6 subtraces) (ID = 145342)
9:53 AM: Found Adware: spy deleter adware
9:53 AM: HKU\WRSS_Profile_S-1-5-21-861567501-789336058-725345543-1000\software\microsoft\internet explorer\extensions\cmdmapping\ || {fb74c951-aca1-4e33-a94c-a9261eb2ccb7} (ID = 610295)
9:53 AM: HKU\WRSS_Profile_S-1-5-21-861567501-789336058-725345543-1000\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
9:53 AM: Registry Sweep Complete, Elapsed Time:00:00:17
9:53 AM: Starting Cookie Sweep
9:53 AM: Found Spy Cookie: 888 cookie
9:53 AM: administrator@888[1].txt (ID = 2019)
9:53 AM: administrator@888[2].txt (ID = 2019)
9:53 AM: Found Spy Cookie: yieldmanager cookie
9:53 AM: administrator@ad.yieldmanager[2].txt (ID = 3751)
9:53 AM: Found Spy Cookie: specificclick.com cookie
9:53 AM: administrator@adopt.specificclick[2].txt (ID = 3400)
9:53 AM: Found Spy Cookie: adprofile cookie
9:53 AM: administrator@adprofile[2].txt (ID = 2084)
9:53 AM: Found Spy Cookie: ask cookie
9:53 AM: administrator@ask[1].txt (ID = 2245)
9:53 AM: Found Spy Cookie: azjmp cookie
9:53 AM: administrator@azjmp[2].txt (ID = 2270)
9:53 AM: Found Spy Cookie: cassava cookie
9:53 AM: administrator@cassava[1].txt (ID = 2362)
9:53 AM: Found Spy Cookie: military cookie
9:53 AM: administrator@forums.military[1].txt (ID = 2997)
9:53 AM: administrator@military[1].txt (ID = 2996)
9:53 AM: Found Spy Cookie: partypoker cookie
9:53 AM: administrator@partypoker[2].txt (ID = 3111)
9:53 AM: Found Spy Cookie: adjuggler cookie
9:53 AM: administrator@rotator.adjuggler[1].txt (ID = 2071)
9:53 AM: Found Spy Cookie: videodome cookie
9:53 AM: administrator@videodome[1].txt (ID = 3638)
9:53 AM: administrator@www.888[2].txt (ID = 2020)
9:53 AM: Found Spy Cookie: upspiral cookie
9:53 AM: administrator@www.upspiral[2].txt (ID = 3615)
9:53 AM: administrator@yieldmanager[2].txt (ID = 3749)
9:53 AM: kalei@888[2].txt (ID = 2019)
9:53 AM: Found Spy Cookie: adecn cookie
9:53 AM: kalei@adecn[2].txt (ID = 2063)
9:53 AM: kalei@adopt.specificclick[2].txt (ID = 3400)
9:53 AM: Found Spy Cookie: about cookie
9:53 AM: kalei@adoption.about[2].txt (ID = 2038)
9:53 AM: Found Spy Cookie: ads.businessweek cookie
9:53 AM: kalei@ads.businessweek[1].txt (ID = 2113)
9:53 AM: Found Spy Cookie: vendaregroup cookie
9:53 AM: kalei@ads.vendaregroup[2].txt (ID = 3635)
9:53 AM: Found Spy Cookie: bpath cookie
9:53 AM: kalei@ads18.bpath[2].txt (ID = 2321)
9:53 AM: kalei@ask[1].txt (ID = 2245)
9:53 AM: kalei@azjmp[1].txt (ID = 2270)
9:53 AM: Found Spy Cookie: a cookie
9:53 AM: kalei@a[1].txt (ID = 2027)
9:53 AM: Found Spy Cookie: banners cookie
9:53 AM: kalei@banners[1].txt (ID = 2282)
9:53 AM: Found Spy Cookie: centralmedia cookie
9:53 AM: kalei@centralmedia[1].txt (ID = 2373)
9:53 AM: Found Spy Cookie: columbiahouse cookie
9:53 AM: kalei@columbiahouse[2].txt (ID = 2443)
9:53 AM: Found Spy Cookie: tickle cookie
9:53 AM: kalei@cookie.tickle[2].txt (ID = 3530)
9:53 AM: Found Spy Cookie: 360i cookie
9:53 AM: kalei@ct.360i[1].txt (ID = 1962)
9:53 AM: Found Spy Cookie: did-it cookie
9:53 AM: kalei@did-it[1].txt (ID = 2523)
9:53 AM: Found Spy Cookie: clickandtrack cookie
9:53 AM: kalei@hits.clickandtrack[2].txt (ID = 2397)
9:53 AM: Found Spy Cookie: homestore cookie
9:53 AM: kalei@homestore[2].txt (ID = 2793)
9:53 AM: Found Spy Cookie: sb01 cookie
9:53 AM: kalei@jp1.sb01[2].txt (ID = 3288)
9:53 AM: Found Spy Cookie: kount cookie
9:53 AM: kalei@kount[2].txt (ID = 2911)
9:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:53 AM: Found Spy Cookie: nextag cookie
9:53 AM: kalei@nextag[2].txt (ID = 5014)
9:53 AM: Found Spy Cookie: offeroptimizer cookie
9:53 AM: kalei@offeroptimizer[2].txt (ID = 3087)
9:53 AM: kalei@ourstory.about[1].txt (ID = 2038)
9:53 AM: Found Spy Cookie: rightmedia cookie
9:53 AM: kalei@rightmedia[1].txt (ID = 3259)
9:53 AM: Found Spy Cookie: domain sponsor cookie
9:53 AM: kalei@search.domainsponsor[2].txt (ID = 2534)
9:53 AM: Found Spy Cookie: shopnav cookie
9:53 AM: kalei@shopnav[1].txt (ID = 3369)
9:53 AM: Found Spy Cookie: sirsearch cookie
9:53 AM: kalei@sirsearch[1].txt (ID = 3379)
9:53 AM: Found Spy Cookie: starware.com cookie
9:53 AM: kalei@starware[2].txt (ID = 3441)
9:53 AM: Found Spy Cookie: trb.com cookie
9:53 AM: kalei@trb[1].txt (ID = 3587)
9:53 AM: kalei@usmilitary.about[1].txt (ID = 2038)
9:53 AM: kalei@web.tickle[2].txt (ID = 3530)
9:53 AM: Found Spy Cookie: websponsors cookie
9:53 AM: kalei@websponsors[2].txt (ID = 3664)
9:53 AM: Found Spy Cookie: burstbeacon cookie
9:53 AM: kalei@www.burstbeacon[1].txt (ID = 2335)
9:53 AM: Found Spy Cookie: myaffiliateprogram.com cookie
9:53 AM: kalei@www.myaffiliateprogram[2].txt (ID = 3032)
9:53 AM: Found Spy Cookie: rednova cookie
9:53 AM: kalei@www.rednova[1].txt (ID = 3246)
9:53 AM: Found Spy Cookie: screensavers.com cookie
9:53 AM: kalei@www.screensavers[2].txt (ID = 3298)
9:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:53 AM: Found Spy Cookie: spydeleter.com cookie
9:53 AM: kalei@www.spydeleter[1].txt (ID = 3410)
9:53 AM: Found Spy Cookie: superlogy cookie
9:53 AM: kalei@www.superlogy[1].txt (ID = 3470)
9:53 AM: paul@homestore[1].txt (ID = 2793)
9:53 AM: Found Spy Cookie: netratingsselect cookie
9:53 AM: paul@nnselect[2].txt (ID = 3065)
9:53 AM: Found Spy Cookie: reunion cookie
9:53 AM: paul@reunion[1].txt (ID = 3255)
9:53 AM: Found Spy Cookie: dealtime cookie
9:53 AM: paul@stat.dealtime[2].txt (ID = 2506)
9:53 AM: paul@www.myaffiliateprogram[1].txt (ID = 3032)
9:53 AM: paul@www.reunion[1].txt (ID = 3256)
9:53 AM: Cookie Sweep Complete, Elapsed Time: 00:00:06
9:53 AM: Starting File Sweep
9:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:53 AM: Found Adware: bookedspace
9:53 AM: c:\documents and settings\paul\local settings\temp\bs51.tmpbsx32 (1 subtraces) (ID = -2147481352)
9:53 AM: Found Adware: delfin
9:53 AM: c:\documents and settings\all users\application data\nfo (4 subtraces) (ID = -2147468687)
9:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:53 AM: Found Adware: look2me
9:53 AM: rlcrt4.dll (ID = 159)
9:54 AM: timessquare[1].exe (ID = 194150)
9:54 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:54 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:54 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:54 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:54 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:54 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:55 AM: Found Adware: command
9:55 AM: mte3ndi6odoxng[1].exe (ID = 185985)
9:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:55 AM: mte3ndi6odoxng.exe (ID = 185985)
9:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:55 AM: Found Adware: apropos
9:55 AM: contextplus[1].exe (ID = 185940)
9:55 AM: contextplus.exe (ID = 185940)
9:55 AM: Found Adware: targetsaver
9:55 AM: tsupdate2[1].ini (ID = 193498)
9:55 AM: npclntax.dll (ID = 146239)
9:55 AM: uupnpmgr.dll (ID = 159)
9:56 AM: stub_113_4_0_4_0[1].exe (ID = 193995)
9:56 AM: stub_113_4_0_4_0.exe (ID = 193995)
9:56 AM: wingenerics.dll (ID = 50187)
9:56 AM: lv6m09j1e.dll (ID = 159)
9:56 AM: e820lifm182a.dll (ID = 159)
9:56 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:56 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:56 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:56 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:57 AM: trebates.exe (ID = 83924)
9:57 AM: trebates.exe (ID = 83924)
9:57 AM: sfg_7277.dll (ID = 74246)
9:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:57 AM: f8l0li3m18.dll (ID = 159)
9:57 AM: snbapiu.dll (ID = 159)
9:57 AM: sfg_2384.dll (ID = 164073)
9:57 AM: Found Trojan Horse: trojan downloader matcash
9:57 AM: autoit3.exe (ID = 119348)
9:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:57 AM: fp8403lqe.dll (ID = 159)
9:57 AM: amicap32.dll (ID = 159)
9:57 AM: pxontobj.dll (ID = 159)
9:57 AM: Found Adware: adtech2005
9:57 AM: adtech2005[1].exe (ID = 194580)
9:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:57 AM: sasbkup.dll (ID = 159)
9:58 AM: trebates.exe (ID = 83924)
9:58 AM: npclntax.xpt (ID = 146238)
9:58 AM: Found Adware: powerscan
9:58 AM: power scan.lnk (ID = 72676)
9:58 AM: dc20.lnk (ID = 76596)
9:58 AM: Found Adware: netpal
9:58 AM: gamehouse games.url (ID = 70891)
9:58 AM: big fish games.url (ID = 70885)
9:58 AM: flyordie games.url (ID = 70890)
9:58 AM: dc19.lnk (ID = 76596)
9:58 AM: dc16.lnk (ID = 76596)
9:58 AM: dc15.lnk (ID = 76596)
9:58 AM: Found Adware: shopathomeselect
9:58 AM: mindset1019.sah (ID = 75831)
9:58 AM: Found Adware: ipinsight
9:58 AM: conscorr.inf (ID = 64277)
9:58 AM: File Sweep Complete, Elapsed Time: 00:05:22
9:58 AM: Full Sweep has completed. Elapsed time 00:08:20
9:58 AM: Traces Found: 266
9:58 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:58 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:58 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:58 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:58 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:58 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:59 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:07 AM: Removal process initiated
10:08 AM: Quarantining All Traces: 180search assistant/zango
10:08 AM: Quarantining All Traces: cws-aboutblank
10:08 AM: Quarantining All Traces: icannnews
10:08 AM: icannnews is in use. It will be removed on reboot.
10:08 AM: C:\WINNT\system32\f8l0li3m18.dll is in use. It will be removed on reboot.
10:08 AM: C:\WINNT\system32\sasbkup.dll is in use. It will be removed on reboot.
10:08 AM: Quarantining All Traces: look2me
10:08 AM: look2me is in use. It will be removed on reboot.
10:08 AM: f8l0li3m18.dll is in use. It will be removed on reboot.
10:08 AM: fp8403lqe.dll is in use. It will be removed on reboot.
10:08 AM: sasbkup.dll is in use. It will be removed on reboot.
10:08 AM: Quarantining All Traces: trojan downloader matcash
10:08 AM: Quarantining All Traces: apropos
10:08 AM: apropos is in use. It will be removed on reboot.
10:08 AM: wingenerics.dll is in use. It will be removed on reboot.
10:08 AM: Quarantining All Traces: adtech2005
10:08 AM: Quarantining All Traces: begin2search hijack
10:08 AM: Quarantining All Traces: bookedspace
10:08 AM: Quarantining All Traces: command
10:08 AM: Quarantining All Traces: delfin
10:08 AM: Quarantining All Traces: dollarrevenue
10:08 AM: Quarantining All Traces: downloadplus
10:08 AM: Quarantining All Traces: downloadware
10:08 AM: Quarantining All Traces: e2g
10:08 AM: Quarantining All Traces: ebates money maker
10:08 AM: Quarantining All Traces: ezula ilookup
10:08 AM: Quarantining All Traces: findthewebsiteyouneed hijacker
10:08 AM: Quarantining All Traces: iepagehelper
10:08 AM: Quarantining All Traces: ipinsight
10:08 AM: Quarantining All Traces: ist sidefind
10:08 AM: Quarantining All Traces: my daily horoscope
10:08 AM: Quarantining All Traces: netpal
10:08 AM: Quarantining All Traces: networkessentials
10:08 AM: Quarantining All Traces: powerscan
10:08 AM: Quarantining All Traces: privacyscan
10:08 AM: Quarantining All Traces: safeguard protect
10:08 AM: Quarantining All Traces: search-exe hijacker
10:08 AM: Quarantining All Traces: shopathomeselect
10:08 AM: Quarantining All Traces: spy deleter adware
10:08 AM: Quarantining All Traces: swimsuitnetwork
10:08 AM: Quarantining All Traces: targetsaver
10:08 AM: Quarantining All Traces: twain-tech
10:09 AM: Quarantining All Traces: webrebates
10:09 AM: Quarantining All Traces: whenu
10:09 AM: Quarantining All Traces: zenosearchassistant
10:09 AM: Quarantining All Traces: 360i cookie
10:09 AM: Quarantining All Traces: 888 cookie
10:09 AM: Quarantining All Traces: a cookie
10:09 AM: Quarantining All Traces: about cookie
10:09 AM: Quarantining All Traces: adecn cookie
10:09 AM: Quarantining All Traces: adjuggler cookie
10:09 AM: Quarantining All Traces: adprofile cookie
10:09 AM: Quarantining All Traces: ads.businessweek cookie
10:09 AM: Quarantining All Traces: ask cookie
10:09 AM: Quarantining All Traces: azjmp cookie
10:09 AM: Quarantining All Traces: banners cookie
10:09 AM: Quarantining All Traces: bpath cookie
10:09 AM: Quarantining All Traces: burstbeacon cookie
10:09 AM: Quarantining All Traces: cassava cookie
10:09 AM: Quarantining All Traces: centralmedia cookie
10:09 AM: Quarantining All Traces: clickandtrack cookie
10:09 AM: Quarantining All Traces: columbiahouse cookie
10:09 AM: Quarantining All Traces: dealtime cookie
10:09 AM: Quarantining All Traces: did-it cookie
10:09 AM: Quarantining All Traces: domain sponsor cookie
10:09 AM: Quarantining All Traces: homestore cookie
10:09 AM: Quarantining All Traces: kount cookie
10:09 AM: Quarantining All Traces: military cookie
10:09 AM: Quarantining All Traces: myaffiliateprogram.com cookie
10:09 AM: Quarantining All Traces: netratingsselect cookie
10:09 AM: Quarantining All Traces: nextag cookie
10:09 AM: Quarantining All Traces: offeroptimizer cookie
10:09 AM: Quarantining All Traces: partypoker cookie
10:09 AM: Quarantining All Traces: rednova cookie
10:09 AM: Quarantining All Traces: reunion cookie
10:09 AM: Quarantining All Traces: rightmedia cookie
10:09 AM: Quarantining All Traces: sb01 cookie
10:09 AM: Quarantining All Traces: screensavers.com cookie
10:09 AM: Quarantining All Traces: shopnav cookie
10:09 AM: Quarantining All Traces: sirsearch cookie
10:09 AM: Quarantining All Traces: specificclick.com cookie
10:09 AM: Quarantining All Traces: spydeleter.com cookie
10:09 AM: Quarantining All Traces: starware.com cookie
10:09 AM: Quarantining All Traces: superlogy cookie
10:09 AM: Quarantining All Traces: tickle cookie
10:09 AM: Quarantining All Traces: trb.com cookie
10:09 AM: Quarantining All Traces: upspiral cookie
10:09 AM: Quarantining All Traces: vendaregroup cookie
10:09 AM: Quarantining All Traces: videodome cookie
10:09 AM: Quarantining All Traces: websponsors cookie
10:09 AM: Quarantining All Traces: yieldmanager cookie
10:09 AM: Removal process completed. Elapsed time 00:01:50
********
9:49 AM: | Start of Session, Wednesday, November 23, 2005 |
9:49 AM: Spy Sweeper started
9:49 AM: Your spyware definitions have been updated.
9:50 AM: | End of Session, Wednesday, November 23, 2005 |

#4 wally13


Posted 23 November 2005 - 01:24 PM

Here is the new Hijackthis log! Thank you, thank you...

Logfile of HijackThis v1.99.1
Scan saved at 10:24:18 AM, on 11/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Smtray.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\hpnra.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\msniu3.exe
C:\WINNT\system32\msniq.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\802.11 Wireless LAN\WlanMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Wireless LAN Utility\WlanUtility.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\system32\hpnra.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSN Messenger 323] msniu3.exe
O4 - HKLM\..\Run: [MSN Messenger If2] msniq.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [MSN Messenger 323] msniu3.exe
O4 - HKLM\..\RunServices: [MSN Messenger If2] msniq.exe
O4 - HKCU\..\Run: [MSN Messenger 323] msniu3.exe
O4 - HKCU\..\Run: [MSN Messenger If2] msniq.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Resume Windows Update Installation.lnk = C:\WINNT\Windows Update Setup Files\ie6setup.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Configuration & Monitor Utility.lnk = C:\Program Files\802.11 Wireless LAN\WlanMonitor.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless Lan Utility.lnk = C:\Program Files\Wireless LAN Utility\WlanUtility.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
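
An added triage example (not part of any post in this thread, and not HijackThis's own logic): it parses the registry-based O4 autostart lines of a HijackThis log and reports any value that is registered under two or more autostart keys with a bare, path-less file name, then resolves that name against the "Running processes" block. The heuristic, the function names and the shortened log excerpt are assumptions made for illustration; in this log the heuristic singles out the msniu3.exe and msniq.exe entries.

```python
import re
from collections import defaultdict
from ntpath import basename  # Windows path rules on any host OS

# Shortened excerpt of the HijackThis log posted above (not the full log).
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\msniu3.exe
C:\WINNT\system32\msniq.exe
C:\Program Files\Spyware Doctor\swdoctor.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSN Messenger 323] msniu3.exe
O4 - HKLM\..\Run: [MSN Messenger If2] msniq.exe
O4 - HKLM\..\RunServices: [MSN Messenger 323] msniu3.exe
O4 - HKLM\..\RunServices: [MSN Messenger If2] msniq.exe
O4 - HKCU\..\Run: [MSN Messenger 323] msniu3.exe
O4 - HKCU\..\Run: [MSN Messenger If2] msniq.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# "O4 - HKLM\..\Run: [Value name] command line"
O4_REG = re.compile(r'^O4 - (HK(?:LM|CU)\\\.\.\\\w+): \[([^\]]+)\] (.+)$')
# Executable part of a command line: quoted path, or text up to the extension.
TARGET = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|cmd|dll))(?=\s|$)', re.I)


def parse_running_processes(log):
    """Return the paths listed under the 'Running processes:' header."""
    paths, in_block = [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_block = True
        elif in_block:
            if not line:
                break  # a blank line ends the block
            paths.append(line)
    return paths


def parse_o4_registry(log):
    """Yield (autostart_key, value_name, target) for registry-based O4 lines.

    Startup-folder lines ('O4 - Startup:', 'O4 - Global Startup:') have a
    different layout and are skipped.
    """
    for line in log.splitlines():
        m = O4_REG.match(line.strip())
        if not m:
            continue
        key, name, command = m.groups()
        t = TARGET.match(command)
        target = (t.group(1) or t.group(2)) if t else command
        yield key, name, target


def triage(log):
    """Report values registered under >= 2 autostart keys with a bare file name."""
    running = {basename(p).lower(): p for p in parse_running_processes(log)}
    keys_by_entry = defaultdict(set)
    for key, name, target in parse_o4_registry(log):
        keys_by_entry[(name, target)].add(key)

    findings = []
    for (name, target), keys in keys_by_entry.items():
        has_no_path = "\\" not in target and ":" not in target
        if has_no_path and len(keys) >= 2:
            findings.append({
                "name": name,
                "target": target,
                "keys": sorted(keys),
                # Full path of the matching running process, if any.
                "running_as": running.get(target.lower()),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['name']}] {f['target']} -> {f['running_as']}")
        for key in f["keys"]:
            print(f"    registered under {key}")
```

A finding here is a prompt for manual review, not a verdict: a bare file name in a single Run key (such as Smtray.exe above) is common and is deliberately not reported.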

#5 -David-


Posted 23 November 2005 - 02:16 PM

Please do both of the following before we start if possible!:

1) Please print off these instructions - they will be needed later when internet access is not available.
2) Save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
At the moment you may feel like you are battling with your computer to keep it running smoothly, but doing the following things should most certainly help getting it back to how it was.
_____________________

Download KillBox here: http://www.downloads.subratam.org/KillBox.zip
Save it to your desktop.
DO NOT run it yet.
_____________________

With IE closed, run Hijack This again.
Put a checkmark on these entries and hit "fix checked":

O4 - HKLM\..\Run: [MSN Messenger 323] msniu3.exe
O4 - HKLM\..\Run: [MSN Messenger If2] msniq.exe
O4 - HKLM\..\RunServices: [MSN Messenger 323] msniu3.exe
O4 - HKLM\..\RunServices: [MSN Messenger If2] msniq.exe
O4 - HKCU\..\Run: [MSN Messenger 323] msniu3.exe
O4 - HKCU\..\Run: [MSN Messenger If2] msniq.exe

_____________________

Boot into Safe Mode

Double-click on Killbox.exe to run it.
Now put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINNT\system32\msniu3.exe
C:\WINNT\system32\msniq.exe

_____________________

Please Navigate to the C:\Windows\Temp folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder. (if you cannot delete some items it's fine!)
_____________________

Then go to Start > Run and type %temp% in the Run box.
The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
_____________________

Finally go to Control Panel > Internet Options.
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.
_____________________

Empty the Recycle Bin.
_____________________

Reboot to normal mode and post a new HJT log
David

#6 wally13

Posted 23 November 2005 - 04:22 PM

I completed all the tasks and performed another Hijackthis log. Here it is! Thank you thank you thank you a hundred times over!

Logfile of HijackThis v1.99.1
Scan saved at 1:19:30 PM, on 11/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Smtray.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\hpnra.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\802.11 Wireless LAN\WlanMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Wireless LAN Utility\WlanUtility.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\system32\hpnra.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Configuration & Monitor Utility.lnk = C:\Program Files\802.11 Wireless LAN\WlanMonitor.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless Lan Utility.lnk = C:\Program Files\Wireless LAN Utility\WlanUtility.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: RunServices - C:\WINNT\system32\MGGSVC.DLL (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#7 -David-

Posted 23 November 2005 - 04:25 PM

Download the following file:

http://www.thatcomputerguy.us/downloads/finditnt2000xp.zip

and unzip the contents to a folder. When it has unzipped, open that folder and double click on Find.bat. It will run for a while, so be patient, and then produce a log (ignore any File not found messages on the screen, it should continue anyway).

Please copy and paste that log here.

David

#8 wally13

Posted 23 November 2005 - 04:52 PM

Here is the log

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Administrator\Desktop\find it

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 44BF-348B

Directory of C:\WINNT\System32

11/20/2004 08:05p <DIR> dllcache
0 File(s) 0 bytes
1 Dir(s) 33,832,267,776 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 44BF-348B

Directory of C:\WINNT\System32

11/20/2004 08:05p <DIR> dllcache
09/27/2003 12:51p <DIR> GroupPolicy
0 File(s) 0 bytes
2 Dir(s) 33,832,267,776 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 44BF-348B

Directory of C:\WINNT\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 44BF-348B

Directory of C:\WINNT\System32

08/23/2001 04:00a 147,483 scrrun.dll.tmp
12/07/1999 04:00a 2,577 CONFIG.TMP
2 File(s) 150,060 bytes
0 Dir(s) 33,832,267,776 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{58D573D7-960A-519C-7C56-8F5E43DC6609}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServices]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\MGGSVC.DLL"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"


------------- Locate.com Results -------------

No matches found.

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Smapp"="Smtray.exe"
"Promon.exe"="Promon.exe"
"HP Network Registry Agent"="C:\\WINNT\\system32\\hpnra.exe"
"HPDJ Taskbar Utility"="C:\\WINNT\\system32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp\\Winampa.exe\""
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ntdll.dll"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"eTrustPPAP"="\"C:\\Program Files\\CA\\eTrust PestPatrol\\PPActiveDetection.exe\""
"RegistryMechanic"="C:\\Program Files\\Registry Mechanic\\RegMech.exe /QS"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_05\\bin\\jusched.exe"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




#9 -David-

Posted 24 November 2005 - 01:15 PM

Download killbox from here:

KillBox

Unzip the folder to your desktop.

1. Start Killbox.exe
2. Select the Delete on Reboot option.
3. Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINNT\system32\MGGSVC.DLL

4. Go to the File menu of Killbox, and choose Paste from Clipboard.
5. Click the Delete File button that is a red-and-white X. When asked if you want to delete these files say Yes. When asked if you want to reboot now, say No.
6. Exit Killbox.
_____________

Fix this with HijackThis:

O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
______________

Then you will have a Clean Log!!
How's everything running?
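
The entries singled out in the replies above share a few recognizable traits: one value name registered under three autostart keys, a Run value named `ntdll.dll` that launches `qttask.exe`, and a Winlogon Notify DLL reported as missing. As an added example (not part of the original posts, and not the helper's own method), this Python script flags those traits in HijackThis O4 and O20 lines; the rule names and the three-key threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: O4/O20 lines copied from the logs and replies in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MSN Messenger 323] msniu3.exe
O4 - HKLM\..\RunServices: [MSN Messenger 323] msniu3.exe
O4 - HKCU\..\Run: [MSN Messenger 323] msniu3.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: RunServices - C:\WINNT\system32\MGGSVC.DLL (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
"""

# O4 registry autostart: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.+?)\] (.+)$")
# O20 Winlogon Notify: "O20 - Winlogon Notify: <subkey> - <dll>[ (file missing)]"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+?)( \(file missing\))?$")


def triage(log_text):
    """Return (reason, detail) review leads; the rules are assumptions, not verdicts."""
    findings = []
    keys_by_name = defaultdict(set)   # value name -> autostart keys that carry it
    names_by_cmd = defaultdict(set)   # command line -> value names that launch it
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            key, name, cmd = m.groups()
            keys_by_name[name].add(key)
            names_by_cmd[cmd.lower()].add(name)
            # A value named like a DLL whose command launches some other file.
            if name.lower().endswith(".dll") and name.lower() not in cmd.lower():
                findings.append(("name-target-mismatch", name))
            continue
        m = O20_RE.match(line)
        if m and m.group(3):
            # Notify package still registered although its DLL is gone from disk.
            findings.append(("notify-dll-missing", m.group(2)))
    for name, keys in keys_by_name.items():
        if len(keys) >= 3:  # same value registered in Run, RunServices and HKCU Run
            findings.append(("same-value-in-many-keys", name))
    for names in names_by_cmd.values():
        if len(names) > 1:  # one command registered under several value names
            findings.append(("duplicate-command", ", ".join(sorted(names))))
    return findings


if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_LOG):
        print(f"{reason:26} {detail}")
```

Each finding is a lead to check against the file on disk and the product it claims to belong to; entries such as `Smapp` and `WRNotifier` pass through unflagged.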

#10 wally13

Posted 24 November 2005 - 02:02 PM

The pc is running great! I can't thank you enough for all your help. I think your site is the best and I will tell as many people as I can about your service. I will definitely make a donation as well to help continue your effort in fighting the evil advertising empire. Let me know if there is anything else I can do for you.

Sincerely,

Paul Mendiola
San Diego, CA

#11 -David-

Posted 24 November 2005 - 04:25 PM

Ok! Glad I was able to help you! :thumbsup:

The log is clean! :flowers:

If I have helped you please consider making a donation using the "make a donation" button in my signature. My help is free, but please consider it to keep me fighting spyware for you and others! :trumpet: :inlove:

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

David

#12 wally13

Posted 25 November 2005 - 05:46 PM

Unfortunately, I am using Win 2000 so there isn't a System Restore option. Is there another way to do this?

Thanks!

#13 -David-

Posted 26 November 2005 - 03:37 AM

Hmmm, sorry there is no other way, and it is just an added security feature for XP! :thumbsup:

David



